
Restricting VPN access by Client OS on Cisco ASA

Ilya Geraskin
Level 1

Hi,

We need to restrict VPN Users from using routers as L2TP VPN clients. I see that the ASA recognizes their Client OS properly. But if I use client-access-rule matching these values, it doesn't work.

For instance:

sh vpn-sessiondb detail ra-ikev1-ipsec | i GP|Client
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : Microsoft
Client OS Ver: 10.0
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : MikroTik
Client OS Ver: 0.1

!!! Config

group-policy VPN-GP attributes
client-access-rule 1 deny type ZyXEL version *
client-access-rule 2 deny type *Keenetic* version *
client-access-rule 3 deny type *MikroTik* version *
client-access-rule 100 permit type * version *

What's wrong with that config? It doesn't work if I use exact matching without an asterisk either.

Maybe client-access-rule is simply not supposed to work with IPsec VPN.

Any experience with tasks like that?
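
Independently of how the ASA enforces the rules, connected sessions can be audited offline against the same patterns. The following is an added example, not part of the original post and not Cisco code: it parses the filtered vpn-sessiondb output quoted above and applies the posted rules in ascending priority, first match wins. The shell-style, case-sensitive wildcard matching, the default deny when nothing matches, and all function names are assumptions of this example.

```python
import fnmatch
import re

# Constructed sample: the filtered session output quoted in the post.
SAMPLE = """\
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : Microsoft
Client OS Ver: 10.0
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : MikroTik
Client OS Ver: 0.1
"""

# (priority, action, type pattern, version pattern), copied from the posted group-policy.
RULES = [
    (1, "deny", "ZyXEL", "*"),
    (2, "deny", "*Keenetic*", "*"),
    (3, "deny", "*MikroTik*", "*"),
    (100, "permit", "*", "*"),
]

def parse_sessions(text):
    """Split the filtered output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"\s*Group Policy\s*:\s*(\S+)\s+Tunnel Group\s*:\s*(\S+)", line)
        if m:
            sessions.append({"group_policy": m.group(1), "tunnel_group": m.group(2),
                             "os": "", "ver": ""})
            continue
        m = re.match(r"\s*Client OS( Ver)?\s*:\s*(.*)$", line)
        if m and sessions:
            sessions[-1]["ver" if m.group(1) else "os"] = m.group(2).strip()
    return sessions

def evaluate(session, rules=RULES):
    """Assumed semantics: lowest priority number first, first match decides."""
    for prio, action, type_pat, ver_pat in sorted(rules):
        if (fnmatch.fnmatchcase(session["os"], type_pat)
                and fnmatch.fnmatchcase(session["ver"], ver_pat)):
            return prio, action
    return None, "deny"  # assumption: no matching rule means deny

def flag_sessions(text):
    """Return (os, version, rule priority) for connected sessions the rules would deny."""
    return [(s["os"], s["ver"], prio) for s in parse_sessions(text)
            for prio, action in [evaluate(s)] if action == "deny"]
```

Any session returned by flag_sessions is one that is connected even though the rule set, read this way, would reject it.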
